Yuanzhang Li,Shangjun Yao,Ruyun Zhang,Chen Yang

DOI: https://doi.org/10.1002/int.22330

IF: 8.993

2020-11-10

International Journal of Intelligent Systems

Abstract:<p>Security monitoring and analysis can help users to timely perceive threats faced by the host, thereby protecting and backup data and improving the host's security status. In the research domain of host security analysis, many feasible solutions have been proposed. However, real‐time performance and accuracy still need improvement. This paper proposes a host security analysis method based on Dempster–Shafer (D‐S) evidence theory. It adopts three models of support vector regression, logistic regression, and K‐nearest neighbor regression, as sensors for multisource information fusion. Multiple sensors perform security analysis on the host, respectively, and use the analysis results as evidence of D‐S evidence theory. Experiments show that the proposed method provides effective security protection for the host in terms of absolute error, root mean square error, and the average absolute percentage error.</p>

computer science, artificial intelligence

Cuixia Gao,Zhitang Li

DOI: https://doi.org/10.1109/MINES.2009.150

2009-01-01

Abstract:Anomaly detection means developing a reference profile of normal activity and comparing the ongoing activity against it. Anomaly detection is very promising because of its potential to detect unseen types of attacks. In this paper we present our preliminary research on host anomaly detection by fusing multi-source security information. We selected five types of information which may be good indicators of host anomalies. They are RAM usage, host network connections, usage of bandwidth, the alert of antivirus and the alert of our own project SATA. In the information fusion framework, the D-S evidence theory was used to fuse the dynamic host-related information. Some improvements are also discussed. We also use real-world environment to demonstrate the method's capability for detecting host anomaly. We show that our prototype can successfully detect most of anomalies caused by DOS, scanning and other attacks.

Cuixia Gao,Zhitang Li,Haigang Song

DOI: https://doi.org/10.1109/mue.2009.88

2009-01-01

Abstract:After analyzing malicious attacks against host that affect the host resource usage a method is presented to evaluate the security situation of host system based on host resource availability. A group of factors that can reflect the host resource availability features in a fixed time window are selected as the evaluation metrics. Based on the large samples, the information entropy gain method is applied to determine the importance of evaluation results for different metrics. Then by using analytic hierarchy process (AHP) method, the evaluation results are regarded as the normalized abnormality value to evaluate the host risk status. If the value of host risk status is larger than the threshold then an alert is triggered. Experiments show that this method can reasonably evaluate the host risk status caused by most of attacks.

Jiangpeng Shu,Haibo Ma,Wei Ding,Zhenfen Jin

DOI: https://doi.org/10.3390/buildings14041144

IF: 3.324

2024-01-01

Buildings

Abstract:The safety condition assessment of prestressed concrete bridges is currently subject to great uncertainty due to the subjectivity of data collection and data types. This study proposes an improved evidence fusion method, improving the conventional Dempster–Shafer fusion method to reduce assessment inaccuracies caused by data uncertainty. Firstly, the uncertain analytic hierarchy process was applied to construct a three-level safety assessment model for 15 different indicators with their initial weights. Secondly, the fuzzy matter element theory was proposed to obtain basic probability assignments required for the evidence fusion. Finally, an improved evidence fusion method was proposed based on the evidence credibility and preprocessing corrections for highly conflicting evidence. In this study, a prestressed concrete bridge in eastern China was used as a case study to perform a comprehensive safety assessment and verify the effectiveness and practicality of the proposed method. The assessment results demonstrate that the improved fusion method in this study can deal with conflicting evidence better than existing fusion methods. Compared with conventional fuzzy AHP method, it has greater sensitivity to certain indicators with severe damages, which prevents those indicators from being overshadowed by other well-performing ones in the overall assessment.

Tao Zhang,MingZeng Hu,Xiaochun Yun,Dong Li

2005-01-01

Journal of Computational Information Systems

Abstract:Due to the rapid development of computer network system, the traditional methods like vulnerability scanning to analyze network security are confronting large challenges, because it cannot consider the security information synthetically. To get the security situation of network, a system of network security analysis using information fusion is designed and implemented in this present study. The study implements the network data collection based on TCP/IP protocol utilizing multi-sensors which covers large scale domains. The data are fused in data layer, so the computer information and network information are collected. These include the operating system type, the network service and the simple network topology. By associating the information with vulnerability and attack method, the model for network security analysis is built. This study has generated a network attack graph to represent the security states of the computer network.

Cuixia Gao,Zhitang Li,Lin Chen

DOI: https://doi.org/10.1109/EBISS.2009.5138070

2009-01-01

Abstract:Malicious behavior will lead to abnormal network traffic patterns. This paper presents a network traffic based method to evaluate the security situation of hosts. A group of variables that can reflect the network traffic feature in a fixed time window are selected as the evaluation metrics. Based on the large samples, we report on a preliminary proof-of-concept approach, that's logistic regression Analysis, to evaluate the probability of host that run into insecure status. The evaluation results are regarded as the normalized abnormality value to evaluate the network traffic of hosts. Experiments and testing show that this method can reasonably evaluate the host network abnormal traffic.

Ee-Chien Chang,Liming Lu,Yongzheng Wu,Roland H. C. Yap,Jie Yu

DOI: https://doi.org/10.1007/s10207-011-0130-9

2011-01-01

International Journal of Information Security

Abstract:We propose a framework that uses (external) environment information to enhance computer security. The benefit of our framework is that the environment information is collected by sensors that are outside the control of a host and communicate to an external monitor via an out-of-band channel (w.r.t. the host), thus it cannot be compromised by malware on a host system. The information gathered still remains intact even if malware uses rootkit techniques to hide its activities. Our framework can be applied for a number of security applications: (1) intrusion detection; (2) rate monitoring/control of external resources; and (3) access control. We show that that the framework is useful even with coarse-grained and simple information. We present some experimental prototypes that employ the framework to detect/control email spam, detect/control DDoS zombie attacks and detect misuse of compute resources. Experimental evaluation shows that the framework is effecting in detecting or limiting the activities of such malware. The growing popularity of multimodal sensors and physical security information management systems suggests that such environmental sensors will become common making our framework cost effective and feasible in the near future.

Xiu-Zhen Chen,Qing-Hua Zheng,Xiao-Hong Guan,Chen-Guang Lin,Jie Sun

DOI: https://doi.org/10.1016/j.cose.2004.08.009

IF: 5.105

2005-01-01

Computers & Security

Abstract:How to evaluate network security threat quantitatively is one of key issues in the field of network security, which is vital for administrators to make decision on the security of computer networks. A novel model of security threat evaluation with a series of quantitative indices is proposed on the analysis of prevalent network intrusions. This model is based on multiple behavior information fusion and two indices of privilege validity and service availability that are proposed to evaluate the impact of prevalent network intrusions on system security, so as to provide security evolution over time, i.e., monitor security changes with respect to modification of security factors. The Markov model and the algorithm of D-S evidence reasoning are proposed to measure these two indices, respectively. Compared with other methods, this method mitigates the impact of unsuccessful intrusions on threat evaluation. It evaluates the impact of important intrusions on system security comprehensively and helps administrators to insight into intrusion steps, determine security state and identify dangerous intrusion traces. Testing in a real network environment shows that this method is reasonable and feasible in alleviating the tremendous task of data analysis and facilitating the understanding of the security evolution of the system for its administrators.

Zhang Yongzheng,FANG Binxing,YUN Xiaochun

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.14.053

2005-01-01

Abstract:With increasing security problems of information technology, developers of information security products seek for the trusted security assessment by the third part. But there are some defects in present assessment methods for host software systems. This paper proposes a quantitative risk assessment approach for host system security, combining with the vulnerability information in software system. An assessment instance is given to analyze the assessment algorithm. Finally, this paper illuminates the advantages of this assessment approach.

陈秀真,郑庆华,管晓宏,林晨光

DOI: https://doi.org/10.3321/j.issn:0253-987X.2004.12.005

2004-01-01

Abstract:Aiming at the weakness of being unable to evaluate the threat of combination of vulnerabilities on network security for most systems of security evaluation, a novel model of security evaluation based on rough set theory was put forward. This model considered the vulnerability as a security factor and the security evaluation model was built from historical evaluation records by using attribute reduction. Further, the measurement model of hierarchical security risk with three levels: security factor, service and host computer, was built, which calculated the security risk of the host by weighting the importance of service and security factor, then the security situation of the system was analyzed and evaluated. Compared with other evaluation methods, this method can create a rule-based model of security evaluation automatically and has advantage of evaluating threat of isolated security factor and combination of security factors on the same host. It can also monitor the impact of changes of the system configuration on system security. Nine useful rules for security evaluation were discovered from 7 days' evaluation records and security situation curves were established through simulation experiment, which shows that evaluation results by our method are more accurate and intuitive than others.

Xi Rongrong,Yun Xiaochun,Hao Zhiyu

DOI: https://doi.org/10.1049/iet-ifs.2018.5189

2019-01-01

IET Information Security

Abstract:A large number of data is generated to help network analysts to evaluate the network security situation in traditional detection and prevention measures, but it is not used fully and effectively, there is not a holistic view of the network situation on it for now. To address this issue, a framework is proposed to evaluate the security situation of the network from three dimensions: threat, vulnerability and stability, and merge the results at decision level to measure the security situation of the overall network. In the case studies, the authors demonstrate how the framework is deployed in the network and how to use it to reflect the security situation of the network in real time. Results of the case study show that the framework can evaluate the security situation of the network accurately and reasonably.

Junjiang He,Cong Tang,Wenshan Li,Tao Li,Li Chen,Xiaolong Lan

DOI: https://doi.org/10.1109/tifs.2023.3324388

IF: 7.231

2023-11-25

IEEE Transactions on Information Forensics and Security

Abstract:Host-based intrusion detection systems (HIDS) have been widely acknowledged as an effective approach for detecting and mitigating malicious activities. Among various data sources utilized in HIDS, system call traces have gained significant popularity due to their inherent advantage of providing fine-grained information. Nevertheless, conventional feature extraction techniques relying on system calls tend to overlook the issue of high-dimensional sparse feature space. In this paper, we conduct a theoretical analysis to investigate the underlying causes of the sparsity problem. Subsequently, we propose an anti-sparse theory (anti-ST) as a solution to address this issue. Then, we design a multi-granularity feature extraction method (MGFE), which also meets the prerequisite mathematical conditions of the anti-ST. By applying this method, we effectively reduce the size of the feature space and minimize the number of generated features, thus mitigating sparsity. Furthermore, leveraging this approach, we propose a robust and anti-sparsity host intrusion detection framework, known as the MGFE-based Host Intrusion Detection Framework (BR-HIDF). A series of experiments were conducted to evaluate the proposed framework and compare it with the state-of-the-art method. The results demonstrate that our framework achieves impressive accuracy (97.26%), precision (97.62%), recall (96.85%), and F1 score (97.23%) in the intrusion detection task, surpassing existing frameworks. Moreover, the proposed framework significantly reduces the time overhead by 38.80%, exhibiting the highest AUC value of 0.992. Furthermore, we enhance the robustness of the detection system by integrating host-based and network-based detection, which provides greater flexibility in identifying various types of attacks.

computer science, theory & methods,engineering, electrical & electronic

Zhang Yong-zheng,Fang Bin-xing,Yun Xiao-chun,Z. Tao

2004-01-01

Abstract:To provide the security confidence of information produ trusted security assessment by the third part. But there are some def as overmuch subjective factors, rough evaluation results and lack paper combines network-based scanning technology with the id quantitative risk assessment approach for host software system, and assessment algorithm. Key-Words: Network security; Risk assessment; Assessment polic

Limao Zhang,Ying Wang,Xianguo Wu

DOI: https://doi.org/10.1016/j.asoc.2021.107189

IF: 8.7

2021-06-01

Applied Soft Computing

Abstract:<p>This paper proposes a hybrid soft computing approach that integrates the Dempster-Shafer (D-S) evidence theory and cluster analysis for probabilistic risk analysis in complex projects under uncertainty. The fusion model tends to solve multi-criteria decision-making problems with a focus on the information content reflected from evidence. Risk factors are quantified into a continuous numeric scale for risk level classification and each factor value is turned into a basic probability assignment (BPA). A sorting operator is used to aggregate the evidence into risk level based clusters. The D-S evidence theory is first used to fuse similar evidence within each cluster, and then the weighted ratio method is used to fuse conflict evidence between clusters. The fused result is defuzzied into a crisp value to give a conveniently referred value for decision-making. Global sensitivity analysis is conducted to depict the effect of each risk factor on the overall estimated risk level. The developed approach is used to assess the water leakage condition of Line 2 of the Wuhan metro system in China to demo its feasibility. The tunnel is assessed to lie in a good condition with a tolerance of 5% measurement error. The proposed two-step fusion process is capable to reserve more details through computation and enhances the confidence in risk classification results compared to that based on a separate piece of evidence. This research contributes to (a) a systematic classification and fusion-based quantitative risk analysis method; (b) practical risk assessment of water leakage in operational tunnels.</p>

computer science, artificial intelligence, interdisciplinary applications

Jie Ma,Zhi-tang Li,Hong-wu Zhang

DOI: https://doi.org/10.1109/AICI.2009.487

2009-01-01

Abstract:Current practice for real-time security risk assessment typically takes intrusion detection systems alerts as the only source of risk factor. Their assessment results are more likely to suffer from the impact of false positive alerts in the increasingly complex and severe network security environment. This paper proposes a novel online fusion model for dynamical network risk assessment by using multiple risk factors. The model is composed by three fusion levels. First, an online alert fusion algorithm is proposed and the redundancy of the raw alerts is dramatically reduced. Then, the model employs Dempster-Shafer theory to handle uncertainties and ignorance existed in the multiple risk factors. Threats in different kinds of severity levels are identified. Finally, the whole network risk distribution is dynamically calculated and reported by using HMM approach. Experiments show the effectiveness and validity of our method.

Tingting Yao,Qinghua Zheng,Xiaohong Guan,Xiuzhen Chen

DOI: https://doi.org/10.3321/j.issn:0253-987X.2006.04.011

2006-01-01

Abstract:After analyzing malicious attacks against network that affect the service availability and would lead to the abnormal change of the network traffic, a method to evaluate the security situation of real-time traffic of hosts is presented. A group of statistic that can reflect the network traffic features in a fixed time window are selected as the evaluation metrics. Based on the large samples, the information entropy gain method is applied to determine the importance of evaluation results for different metrics. Then, using hierarchical weighted method, the evaluation results are regarded as the normalized abnormality value to evaluate the real time traffic of host networks. Experiments and testing show that this method can reasonably evaluate the host network abnormal flows caused by the DDoS, DoS worm and other attacks, and has good evaluation results for new attacks that cause abnormal change of network traffic.

Qilei Wang

DOI: https://doi.org/10.1038/s41598-022-08079-2

IF: 4.6

2022-03-08

Scientific Reports

Abstract:Abstract In order to effectively assess all types of security risks in the important event, the important decision-making basis for security risk warning and emergency management of important event is provided by analyzing the coupling relationship and evolution mechanism between various risks. The criminal causes, management defects, security and emergency system construction are analyzed from the possibility of accidents and risks. The multi-source data risk assessment system based on five subsystems and its index set of human factors, management factors, site factors, event factors and audit factors are proposed. The weight of each index in the assessment system is determined by the method of information entropy, and then the risk grade of important event is determined according to the weight calculation function and the improved fuzzy matter element model. The verification with an example shows that: the risk assessment model is optimized by combining entropy weight with fuzzy matter-element model, the influence of weight data extreme value was weakened, the qualitative description and quantitative analysis of multi-source data could be combined, and the subjective error was reduced. The risk grade of important event is reasonably evaluated, and the assessment effect is basically consistent with the expert inspection analysis, which shows that the method had certain application value.

multidisciplinary sciences

Kai Guo,Limao Zhang

DOI: https://doi.org/10.1111/risa.17651

2024-10-11

Risk Analysis

Abstract:The success of tunneling projects is crucial for infrastructure development. However, the potential leakage risk is particularly challenging due to the inherent uncertainties and fuzziness involved. To address this demanding challenge, a hybrid approach integrating the copula theory, cloud model, and risk matrix, is proposed. The dependence of multiple risk‐related influential factors is explored by the construct of the copula‐cloud model, and the diverse information is fused by applying the risk matrix to gain a crisp risk result. A case study is performed to test the applicability of the proposed approach, in which a risk index system consisting of nine critical factors is developed and Sobol‐enabled global sensitivity analysis (GSA) is incorporated to investigate the contributions of different factors to the risk magnitude. Key findings are as follows: (1) Risk statuses of the studied three tunnel sections are perceived as under grade I (safe), II (low‐risk), and III (medium‐risk), respectively, and the waterproof material aspect is found prone to deteriorating the tunnel sections. Furthermore, the proposed approach allows for a better understanding of the trends in the risk statuses of the tunnel sections. (2) Strong interactions between influential factors exist and exert impacts on the final risk results, proving the necessity of studying the factor dependence. (3) The developed neutral risk matrix presents a strong robustness and displays a higher recognition capacity in risk assessment. The novelty of this research lies in the consideration of the dependence and uncertainty in multisource information fusion with a hybrid copula‐cloud model, enabling to perform a robust risk assessment under different risk matrices with varying degrees of risk tolerance.

public, environmental & occupational health,mathematics, interdisciplinary applications,social sciences, mathematical methods

Wangyan Feng,Shuning Wu,Xiaodan Li,Kevin Kunkle

DOI: https://doi.org/10.48550/arXiv.1801.00025

2017-12-29

Cryptography and Security

Abstract:To assure cyber security of an enterprise, typically SIEM (Security Information and Event Management) system is in place to normalize security event from different preventive technologies and flag alerts. Analysts in the security operation center (SOC) investigate the alerts to decide if it is truly malicious or not. However, generally the number of alerts is overwhelming with majority of them being false positive and exceeding the SOC's capacity to handle all alerts. There is a great need to reduce the false positive rate as much as possible. While most previous research focused on network intrusion detection, we focus on risk detection and propose an intelligent Deep Belief Network machine learning system. The system leverages alert information, various security logs and analysts' investigation results in a real enterprise environment to flag hosts that have high likelihood of being compromised. Text mining and graph based method are used to generate targets and create features for machine learning. In the experiment, Deep Belief Network is compared with other machine learning algorithms, including multi-layer neural network, random forest, support vector machine and logistic regression. Results on real enterprise data indicate that the deep belief network machine learning system performs better than other algorithms for our problem and is six times more effective than current rule-based system. We also implement the whole system from data collection, label creation, feature engineering to host score generation in a real enterprise production environment.

Liang Liang,Peng Wang,Lin Tan

2013-01-01

Disaster Advances

Abstract:The comprehensive evaluation of information security risk is the key for executives in complex organizations to make macro decisions. Modern organizations have complicated structures and many levels. In addition, the influencing factors of organizing information security risk involve techniques, staffs and management. Under consideration of uncertainty on decision information, an improved fuzzy multi-criteria decision method is proposed. It combines fuzzy mathematics with partitioning method of space region, and provides a computing method for criteria weights by fusing criterion, thus to realize the comprehensive evaluation of organizing information security risk. Finally, an example of information security risk management for some large joint research project is taken to illustrate the guidance for actual work by the proposed method.